It has been just a couple of weeks after the release of iWork ’09 –the most recent update to Apple’s productivity suite, the iWork, and already it’s getting its first taste of malware abuse.
A pirated version of iWork ’09 being distributed through a popular torrent site is reported containing a malicious file. Intego reports that this Trojan executes upon the installation of the pirated copy of iWork. It connects to a remote server and listens for commands from a remote user.
The said file is already detected by Trend Micro products as OSX_KROWI.A.
Researchers commented that the torrent file is currently being hosted, or more appropriately, being seeded, by approximately 500 users as of this writing. This indicates that users of that same number, and probably even much more, are now infected by this new Mac Trojan.
Furthermore, the fact that the torrent for this malicious file is being seeded by many users makes it attractive to torrent downloaders. As more seeders typically equate a faster download, this may cause the said file to gain popularity in the torrent sites, possibly increasing its download rate.
The release of iWork ‘09 has previously created a buzz because of Apple’s decision to no longer require a serial number in installing the program. This suggested that users who purchase a retail version of iWork ’09 will be able to install the software into any number of systems.
Though this may come as good news to iWork users, the reporters of The Register couldn’t help but express their skepticism. They speculate that this might just be Apple’s way of making users take the bait and utilizing iWork. Once the users are hooked, Apple will then reinstate the serial number rule in iWork ‘10, thus forcing the now increased number of iWork users to purchase the product.
Trend Micro will update this report once more information is available. Also, Mac users who want to acquire iWork for their machine are advised to just borrow a CD from a friend with a legitimate copy rather than downloading copies from untrustworthy online sources.
Update as of January 23 2009, 10 PM, PST
Analysis by Trend Micro researchers have revealed that OSX_KROWI.A modifies an attribute of the installation folder by executing the command chmod 755 to set read and execute access for everyone and also grants write access for its owner.
It registers itself as a startup item on the affected machine to enable automatic execution. It also executes the following P2P commands upon acquiring Internet connection:
Update as of January 26 2009, 11 PM, PST
Researchers also found a Trojan hidden in pirated versions of Adobe Photoshop for Mac, distributed through torrents too. While the software installer itself appears ok, its cracking application perform malicious routines when run. Trend Micro also detects the file as OSX_KROWI.A.